Hi Malte,
hi there,
just downloaded the KDE3 update for SuSE 7.3 when I saw that (at least) kdelibs3-3.0-35.rpm is not signed with the Package Signing Key.
It makes me feel a bit nervous when I should install unsigned packages even if obtained directly from ftp.suse.com or ftp.gwdg.de, it was the same with some KDE 2.2.2 packages for SuSE 7.3, I have informed security@suse.de about this with KDE2 packages.
It would be nice if you would take signing more seriously and if you would check each package whether it is actually signed before offering it, no matter if it's just a KDE update or "official stuff" below .../i386/update/x.xx/
Actually, we do take the signatures very seriously, and it usually can't happen that an official update package gets offered on ftp.suse.com for download. Sometimes, it happens with the update packages that have been done by hand. I'll have the ones fixed that I've found in the 7.1 tree now.
Malte
Thanks,
Roman.
--
- -
| Roman Drahtmüller